Wednesday, February 11, 2015

MikroTik Firewall Policy

This is a very simple but strong policy; it includes port-scanner and DDoS detection, and SSH and Telnet access control.

/ip firewall filter
# Filter policy for traffic addressed to the router itself (chain=input), plus a
# DDoS detector (chain=detect-ddos) that is jumped to from chain=forward.
# Rules are evaluated top to bottom. A rule with no action= accepts (compare the
# "Accept established connections" rule below), and the final rule drops
# everything that no earlier rule accepted, so the order of the rules matters.
# NOTE(review): log, add-src-to-address-list and add-dst-to-address-list are
# non-terminating actions in RouterOS - the packet continues to the next rule
# after they fire - so several rules below rely on a later rule to decide.
# Management host: anything from this address is accepted and logged before any
# other check. XXX.XXX.XXX.XXX is a placeholder for the real NAS address.
add chain=input log=yes log-prefix="Access NAS" src-address=XXX.XXX.XXX.XXX
# DDoS detection: only NEW connections in the forward chain are sent to the
# detector; traffic to the router itself (chain=input) is not covered by it.
add action=jump chain=forward connection-state=new jump-target=detect-ddos
# Return (i.e. treat as normal) while the source/destination pair stays under
# 32 new connections with a burst of 32, tracked per src+dst address and
# expiring after 10s - check dst-limit semantics for your RouterOS version.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
# Whitelisted source network (placeholder XXX.XXX.XXX.XXX/XX): never listed.
add action=return chain=detect-ddos src-address=XXX.XXX.XXX.XXX/XX
# Anything that did not return above: record the target and the offender for
# 10 minutes. Both actions are non-terminating, so the packet falls back to
# the forward chain after the jump.
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
# Drop new forward connections only when BOTH the source is a listed offender
# and the destination is a listed target; other traffic from the offender
# is unaffected.
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
# Port-scan detection: sources matching the psd heuristic (weight threshold 21,
# delay 3s, low-port weight 3, high-port weight 1) are listed for two weeks.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
# TCP flag combinations that never occur in a legitimate handshake; each one
# lists the source for two weeks. These rules only list - the drop is below.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
# Drop everything from listed scanners. This sits BEFORE the established/related
# accepts, so an already-open session from a listed host is cut off as well.
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
# Connection-state handling: accept established and related, drop invalid.
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
# NOTE(review): this accepts ALL UDP to the router from ANY source - every UDP
# service the router runs (DNS, SNMP, NTP, ...) is reachable from the outside.
# Consider limiting it with dst-port= to the services actually offered and/or
# in-interface= / src-address-list= to the networks that need them.
add chain=input comment=UDP protocol=udp
# ICMP: accept up to 50 per 5s (burst 2) and drop the rest.
add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
# Every source that sends a packet to tcp/22 or tcp/23 is logged and recorded in
# SSH-ACCESS / TELNET-ACCESS. No address-list-timeout is set, so the entries
# persist until removed by hand - confirm that this is intended. Both actions
# are non-terminating, so the packet continues to the drop rules below.
add action=add-src-to-address-list address-list=SSH-ACCESS chain=input comment="SSH for secure shell" dst-port=22 log=yes log-prefix=SSH- protocol=tcp
add action=add-src-to-address-list address-list=TELNET-ACCESS chain=input comment="TELNET for telnet users" dst-port=23 log=yes log-prefix=TELNET- protocol=tcp
# Listed sources are dropped (and logged) only when they arrive on VLAN804.
# NOTE(review): there is no explicit accept for tcp/22 or tcp/23 anywhere in
# this chain, so a new SSH/Telnet connection from any other interface falls
# through to the final "Drop everything else" rule; only the management host
# accepted at the top of the chain can reach these services. If Telnet is not
# required, prefer disabling the service (it is unencrypted) over filtering it.
add action=drop chain=input comment="SSH Drop" in-interface=VLAN804 log=yes log-prefix=SSH-DROP src-address-list=SSH-ACCESS
add action=drop chain=input comment="TELNET Drop" in-interface=VLAN804 log=yes log-prefix=TELNET-DROP src-address-list=TELNET-ACCESS
# NOTE(review): Winbox (tcp/8291) is accepted from ANY source. Management
# access should be restricted with src-address= / src-address-list= or
# in-interface= to the management network only.
add chain=input comment=winbox dst-port=8291 protocol=tcp
# GRE and PPTP control (tcp/1723) accepted from anywhere - needed if this router
# terminates PPTP VPN tunnels. PPTP's authentication is widely regarded as weak;
# a more modern VPN is preferable where the clients allow it.
add chain=input comment=Gre protocol=gre
add chain=input comment=PPTP dst-port=1723 protocol=tcp
# Default policy: log (non-terminating) and then drop everything not accepted
# above. The log prefix makes these entries easy to filter in /log.
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else"